GDPR as an Attack Surface: Mitigating the Risks

"Attached please find our DPA. Please have this document signed by an authorized signatory and send the completed agreement back to us at [...]"

Those two sentences were part of a legitimate email directed at the Cylance privacy team, but something about them left me in an uncomfortably familiar situation. The sense of urgency, and presumed obligation to open the document, was a tactic I have seen employed many times before. So I posted a quick thought on LinkedIn about the use of the General Data Protection Regulation (GDPR) as a new medium for email-based attacks involving requests for companies to complete Data Processing Addendums (DPAs). I wrote this so I would not context-switch it into oblivion and pin it as a question to the cosmos that deserved a bit more attention later.

As a Deputy CISO, I know that GDPR has been a work in progress for over a year. Working with my peers in our Compliance team and our Chief Privacy Officer, I have been aware of the obligation and the consequences for some time now.

Prior to the GDPR, we had the 1995 Data Protection Directive, which set the minimum standards for processing data in the EU and applied to organizations that collect, process or store the personal information of EU residents. The GDPR prescribes considerably greater penalties than before in the event of a breach: €20 million (approx. $23,983,800) or up to 4% of annual global turnover. UK businesses, and all overseas businesses offering goods or services to the EU, will be obligated to prepare for the GDPR before its May 25 enforcement date.

It’s the consequences of non-compliance that make the GDPR an ideal conduit for those with malicious intent. Looking across the myriad articles and largely vendor-driven FUD on the topic, it becomes clear that it is a perfect theme for attackers to exploit. The stage is set for all kinds of attacks with email as the primary medium: a sense of urgency (the GDPR comes into effect this Friday, May 25), an expectation that privacy-related DPA documents will be exchanged by email, and significant consequences if such emails are ignored.

Breaking Down GDPR Requests

So how do we tackle this? For companies and firms affected, the first logical step would be to build a pipeline through which all requests involving the GDPR are channeled, and include in that pipeline the right people, processes, and technologies to help mitigate this risk.

This approach is by no means perfect and I offer it merely as a starting point which can be improved by further defining/refining the moving parts involved in building such a process.
Let’s look at this one step at a time:

1) Identify the right people to handle each of these requests.
2) Establish procedures for workflow, from reception to the processing of DPA requests.
3) Introduce technical controls into the workflow to detect/prevent potential attacks.
4) Communicate the solution to all your stakeholders/employees.

Let’s break this down into People, Processes, and Technology further:

Step 1: People

When it comes to people, you have a few groups to consider:

  • Your Customers - Who will ask for your participation in completing a DPA.
  • Your Employees - Who may receive such requests, whether it is their job to reply or not.
  • Your Security Team - Or employees who are responsible for analyzing potentially malicious attachments (either manually or by driving the technologies you use to augment this task).
  • Your IT Team - Or others who may control the flow of email into your company; also, the people who have the admin rights to set up mailboxes or distribution lists (DLs) to forward such requests through.
  • Your Web-Team - Or others who may own the publishing of web pages directing your customers to follow a process, or those who direct queries to a specific internal email address/ mailbox.
  • Your Customer Support/Success Team - Who may own the publishing of similar instructions to any internal customer portal you manage.
  • Your Legal Team - If you plan to advocate use of your own DPA as a first/fastest method of meeting the legal obligation.
  • Your Compliance or Privacy Team - Who actually complete the DPA work, and who should (in theory) receive only trusted documents to process.

Step 2: Processes

This is the pipeline through which you will want to funnel all requests pertaining to DPA document completion:

  • DPA Generation – Work with your legal team to generate your company’s preferred DPA document. Not all of your customers will accept it, but those who do will help reduce overhead for all involved parties. Once Legal has created a document, you can decide its data classification level and where/how you want to make it externally available (for example, via web, customer support portal, a link where customers can retrieve it, etc.).

  • Intake – Ideally this process could start with automated email filtering and markup, before it is even viewed by a human (more on this technology below). The process also involves routing all requests for a DPA to a given generic mailbox, distribution list or other automated method for further review/analysis. Even if the request is sent to the right recipients, it should follow the process and be routed accordingly.

  • Applicability – Some companies may want to introduce a step that verifies whether the asking party is someone who should be engaging in this request.

  • Analysis – All inbound requests can and should be analyzed. This could, for example, involve analyzing any attachments or hyperlinks where such documents are expected to be accessed. (Again, depending on your resources, this could be a combination of manual analysis, use of open source document analysis engines, or by pushing the entire process through automation.)

  • Completion – At this point, the content that tests safe could be assumed safe and sent to the mailbox or distribution list of the people who will actually process the request.

  • Awareness/Training – Once you have this in place you will need to educate your users about the risk you are seeking to mitigate, and the steps they should take to respond to such emails.

  • Communication – Once you have established this workflow, you will need to communicate it to your customers and partners. Posting it to your public website, in your customer portals, sharing via a newsletter, etc. are all options you should consider. The degree to which you wish to advertise this is a business decision that only you can make.

Step 3: Technology

The technology you’ll be using and relying on for each of these steps should not be overlooked. For example:

  • Infrastructure - In order to build out the pipeline mentioned above, you’ll want to establish mailboxes or distribution lists (DLs) to standardize the workflow from an outsider’s perspective. As an added benefit, this may also reduce some of the risks of spearphishing.

  • Email Tagging/Markup - Emails about the GDPR and requests for DPAs contain fairly distinctive strings ("GDPR", "DPA", "Data Processing Addendum") that you can key on to apply pre-delivery markup. Depending on your email solution, you could add a plain-text warning to the subject or body of the email, including directions for how employees should process such requests.

  • Attachment Analysis - If your email solution can scan or sandbox attachments, you should definitely take advantage of that capability, even if it is applied only to content going through the mail systems you identified for this effort.

  • Document Scanners and Analysis - There are several existing technologies that perform some degree of document analysis. In-house malware analysis engines and detonation tools like Cuckoo are perfect for this process. There are also a number of public sites you can turn to if you do not have these systems in house.

  • Automation - There are several approaches and opportunities you can use to automate this capability. For example, SOAR solutions can significantly reduce the burden on your staff by manifesting this process into a playbook by using email listeners, analyzing attachments, auto-responding to email queries, verifying links, and forwarding on trusted content to the right recipients. By the time I was done turning my ideas into this blog, my support team at Demisto already had a baseline playbook ready to go.

  • Prevention - It goes without saying that even with all of these options in place, some things may get through. Having a prevention solution like Cylance on your endpoints, as part of your defense-in-depth strategy, can drastically reduce the impact of these attacks by stopping them before they get a foothold on your systems.
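To make the Intake, Applicability and Analysis steps of the process above, and the Email Tagging/Markup and Attachment Analysis technology items, concrete, here is an added example of a small intake triage filter. It is illustrative code written for this article, not Cylance's, Demisto's or any vendor's playbook. It parses a raw message, decides whether it is a GDPR/DPA request, prefixes the subject with a plain-text warning, routes it to a generic intake mailbox, checks the sender domain against an allow-list (the Applicability step), and holds attachments and links for analysis rather than delivering them to a person. The mailbox name, the allow-listed domain, the keyword and extension lists, and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Constructed values for this example (assumptions, not real infrastructure).
INTAKE_MAILBOX = "dpa-intake@example.com"               # hypothetical generic intake mailbox
WARNING_TAG = "[GDPR/DPA REQUEST - ROUTED FOR REVIEW]"  # plain-text subject markup
KNOWN_CUSTOMER_DOMAINS = {"customer.example"}           # hypothetical Applicability allow-list

# Distinctive strings that mark a message as GDPR/DPA-related.
DPA_PATTERN = re.compile(
    r"\b(GDPR|DPA|data processing (?:addendum|agreement)|general data protection regulation)\b",
    re.IGNORECASE,
)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Extensions that have no business being a DPA: quarantine without anyone opening them.
BLOCK_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".jar", ".bat", ".cmd", ".ps1", ".iso"}


def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the From address ('' if it cannot be parsed)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def message_text(msg: EmailMessage) -> str:
    """Decoded text of the main body part (plain preferred, then HTML)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def is_dpa_request(msg: EmailMessage) -> bool:
    """True when the subject or body carries a GDPR/DPA keyword."""
    return bool(DPA_PATTERN.search(str(msg.get("Subject", ""))) or DPA_PATTERN.search(message_text(msg)))


def classify_attachments(msg: EmailMessage) -> list:
    """(filename, verdict) per attachment: 'block' for executable types, else 'analyze'.
    Only the final suffix counts, so a double extension such as DPA.pdf.exe is still blocked."""
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        ext = PurePosixPath(name.lower()).suffix
        verdicts.append((name, "block" if ext in BLOCK_EXT else "analyze"))
    return verdicts


def triage(raw: bytes) -> dict:
    """Intake decision for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if not is_dpa_request(msg):
        return {"dpa_request": False, "action": "deliver", "route_to": None, "subject": subject,
                "attachments": [], "links": 0, "known_sender": None}
    attachments = classify_attachments(msg)
    links = len(URL_PATTERN.findall(message_text(msg)))
    known = sender_domain(msg) in KNOWN_CUSTOMER_DOMAINS
    if any(verdict == "block" for _, verdict in attachments):
        action = "quarantine"          # never reaches a human mailbox
    elif attachments or links or not known:
        action = "hold_for_analysis"   # document scanner / detonation / link check first
    else:
        action = "deliver"             # plain request from a known customer
    return {"dpa_request": True, "action": action, "route_to": INTAKE_MAILBOX,
            "subject": f"{WARNING_TAG} {subject}", "attachments": attachments,
            "links": links, "known_sender": known}


def sample_message(from_addr: str, subject: str, body: str, attachments=()) -> bytes:
    """Build a constructed test message; these are not real customer emails."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_addr, "sales@example.com", subject
    m.set_content(body)
    for filename, data, maintype, subtype in attachments:
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


DOCX = "vnd.openxmlformats-officedocument.wordprocessingml.document"
SAMPLES = {  # constructed inputs covering the main intake outcomes
    "known_customer_docx": sample_message(
        "Privacy Office <privacy@customer.example>", "Our DPA for signature",
        "Attached please find our DPA. Please have it signed by an authorized signatory.",
        [("DPA_v3.docx", b"PK\x03\x04constructed-placeholder", "application", DOCX)]),
    "unknown_sender_link": sample_message(
        "compliance@unrelated.example", "URGENT: GDPR compliance required before Friday",
        "Sign your Data Processing Agreement here: https://example.invalid/dpa"),
    "double_extension": sample_message(
        "legal@customer.example", "Signed DPA", "See attached.",
        [("DPA.pdf.exe", b"MZconstructed-placeholder", "application", "octet-stream")]),
    "unrelated": sample_message("bob@customer.example", "Lunch?", "Pizza at noon?"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{label:22} -> {result['action']:18} {result['attachments']}")
```

Run as-is, the script prints one line per sample: the known-customer `.docx` and the link-only message from an unknown domain are both held for analysis, the double-extension attachment is quarantined, and the unrelated message passes through untagged. The point of the design is that a DPA request never lands in a person's mailbox without the warning tag, the intake route and an analysis verdict, which is exactly the ordering the pipeline above calls for; in a SOAR playbook each `action` value would map to the next step (detonation, link verification, or forwarding to the privacy team).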

As I finish putting these thoughts together, you may have come to the same conclusions; this is just the beginning of GDPR as an attack surface. As May 25th fast approaches, it is worth considering similar risks that will manifest after enforcement begins. More orchestration between vendors and their customers will likely be required. Obligations, Urgency, and Attachments will be at the center of many engagements moving forward and will generate a ripe environment for compromise, absent suitable preparation and prevention strategies.

NOTE: This blog represents the opinions of the author only, and does not represent an official Cylance endorsement of any companies, services or products mentioned herein. Cylance is not paid nor otherwise compensated in any way by any company, service, or product mentioned in these blogs.